Direct anonymous attestation (DAA) refers to an anonymous (or pseudonymous) authentication scheme intended to enable authentication of an entity without revealing the identity of the entity being authenticated. A typical DAA scheme involves a DAA issuer, a DAA signer (i.e., the entity to be authenticated), and a DAA verifier. An issuer determines that a signer is trusted and, responsive to that determination, issues a DAA group membership credential, or DAA credential, to the signer. This negotiation between the issuer and the signer, through which the issuer verifies the validity of the signer, may be referred to as a DAA join process.
After the signer has been issued a DAA credential, the signer proves its membership in a group of trusted computing platforms to the verifier by signing a message with a DAA signature that is based on the DAA credential issued to the signer and that enables the verifier to verify the validity of the DAA credential without the identity of the signer being revealed. This negotiation between the signer and the verifier through which the verifier verifies the validity of the signer's DAA credential may be referred to as a DAA sign process.
In the typical DAA scheme, the signer splits the task of computing a DAA signature between (i) a primary signer that stores a secret signing key and that has relatively limited computational and storage capabilities but relatively high security assurances and (ii) a secondary signer that has relatively greater computational and storage capabilities. Splitting the signing role between the secure but computationally limited primary signer and the less secure but computationally more powerful secondary signer reduces the burden imposed on the computationally constrained primary signer by offloading some of the processing load to the computationally more powerful secondary signer, while also enabling the signer to produce relatively strong and private DAA signatures. When signing a message with a DAA signature, the primary signer signs the message using the secret signing key that it holds, while the secondary signer's contribution is to anonymize the DAA signature. The secondary signer generally is prevented from learning the secret signing key of the primary signer and is consequently unable to produce a valid DAA signature without collaborating with the primary signer.
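The following is an added, constructed model of the split sign process described above; it is not code from the original text or from any DAA implementation. It reduces the issuer's credential to a pair (B, D = B^f) in a prime-order subgroup of Z_p* (an assumption made for the demo; real DAA credentials are issuer signatures over pairing-friendly curve points). The primary signer holds the secret f and produces a Schnorr-style proof of knowledge of f; the secondary signer randomizes the credential before each signature so that signatures cannot be linked, and it never learns f. The verifier's pairing-based check that the credential was actually issued is omitted here, so this block shows only the key-holding and anonymizing roles, not a complete DAA verifier.

```python
"""Toy split-signer model of DAA (constructed for illustration, not DAA itself).

Primary signer   : holds f, never exports it, answers with a Schnorr proof.
Secondary signer : holds credential (B, D = B^f), randomizes it per signature.
Verifier         : checks the proof of knowledge; the issuer-credential pairing
                   check of a real DAA scheme is deliberately omitted.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test with random bases (sufficient for a demo)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Return (p, q, g): safe prime p = 2q + 1 and a generator g of the order-q
    subgroup of Z_p*. Parameters are small and constructed for the demo."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q, 8) and is_probable_prime(2 * q + 1, 8):
            break
    g = 4  # 2^2 is a quadratic residue mod p, so it has order q
    return 2 * q + 1, q, g


def hash_to_scalar(q, *parts):
    """Fiat-Shamir challenge: SHA-256 over length-prefixed encodings, reduced mod q."""
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big") % q


class PrimarySigner:
    """The trusted, resource-limited component: the only holder of f."""

    def __init__(self, p, q, g):
        self.p, self.q = p, q
        self._f = secrets.randbelow(q - 1) + 1      # secret signing key, never leaves this object
        self.pub_D = pow(g, self._f, p)             # D = B^f with B = g; the issuer binds this at join

    def sign(self, B_rand, D_rand, msg):
        """Prove knowledge of f with D_rand = B_rand^f over the randomized base."""
        r = secrets.randbelow(self.q - 1) + 1
        T = pow(B_rand, r, self.p)
        c = hash_to_scalar(self.q, B_rand, D_rand, T, msg)
        s = (r + c * self._f) % self.q
        return c, s


class SecondarySigner:
    """The powerful but less trusted component: holds (B, D), never f."""

    def __init__(self, p, q, credential):
        self.p, self.q = p, q
        self.B, self.D = credential

    def sign(self, primary, msg):
        ell = secrets.randbelow(self.q - 1) + 1     # fresh randomizer per signature
        B_rand = pow(self.B, ell, self.p)
        D_rand = pow(self.D, ell, self.p)           # D^ell = (B^ell)^f, so the relation survives
        c, s = primary.sign(B_rand, D_rand, msg)
        return (B_rand, D_rand, c, s)


def verify(p, q, sig, msg):
    """Check the proof of knowledge only (no issuer-credential check, see lead-in)."""
    B_rand, D_rand, c, s = sig
    for x in (B_rand, D_rand):                      # reject values outside the order-q subgroup
        if not 1 < x < p or pow(x, q, p) != 1:
            return False
    T = pow(B_rand, s, p) * pow(D_rand, (q - c) % q, p) % p   # B'^s * D'^(-c) == B'^r
    return c == hash_to_scalar(q, B_rand, D_rand, T, msg)


P, Q, G = make_group()
PRIMARY = PrimarySigner(P, Q, G)
CREDENTIAL = (G, PRIMARY.pub_D)                      # join process abstracted: issuer hands out (B, D)
SECONDARY = SecondarySigner(P, Q, CREDENTIAL)


def demo():
    """Two signatures on a constructed message: both verify, differ in their
    randomized bases, and a modified message is rejected."""
    msg = b"constructed attestation payload"
    sig1 = SECONDARY.sign(PRIMARY, msg)
    sig2 = SECONDARY.sign(PRIMARY, msg)
    return {
        "sig1_valid": verify(P, Q, sig1, msg),
        "sig2_valid": verify(P, Q, sig2, msg),
        "tampered_rejected": not verify(P, Q, sig1, msg + b"!"),
        "bases_differ": sig1[:2] != sig2[:2],
    }


if __name__ == "__main__":
    print(demo())
```

The secondary signer's object holds only the credential and the randomizer, which mirrors the constraint in the text: it can anonymize, but it cannot answer the challenge without the primary signer supplying s. A verifier in a real scheme would additionally check, via pairings, that the randomized (B, D) pair descends from an issuer-signed credential; that step is what the omitted credential check stands for.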
As part of the typical DAA join process, the primary signer may execute a series of specialized commands to prove to the secondary signer that the DAA credential issued by the issuer is valid and to provide the secondary signer with a randomizable DAA public key that the secondary signer can then use as part of its role in contributing to the DAA signature. Typically, such specialized commands are unique to this aspect of the DAA join process and are not otherwise performed by the primary signer. Consequently, the need to be able to execute such specialized commands for proving the validity of the DAA credential and generating the randomizable DAA public key may lead to increased computational cost and complexity for the resource-constrained primary signer.